Department of Homeland Security
Office of Inspector General

DHS Risk Assessment Efforts in the Dams Sector

OIG-11-110                                    September 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

SEP 15 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department.

This report addresses the strengths and weaknesses of the Office of Infrastructure Protection's efforts to assess risk to critical infrastructure under a voluntary framework. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendation herein has been developed to the best knowledge available to our office, and has been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Anne L. Richards
Assistant Inspector General for Audits

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    Review of Risk Assessments
    Security Reviews for Critical Dam Assets
    Mitigation of Identified Security Risks
    Conclusion
    Recommendation
    Management Comments and OIG Analysis

Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to this Report
    Appendix D: Report Distribution

Abbreviations
    DHS    Department of Homeland Security
    FY     fiscal year
    IP     Office of Infrastructure Protection
    OIG    Office of Inspector General

Executive Summary

The protection of the Nation’s critical infrastructure is one of the primary missions of the Department of Homeland Security. The National Infrastructure Protection Plan provides the strategy to organize and carry out the national effort to protect 18 sectors of critical infrastructure, one of which is the Dams Sector. Dams and related structures are especially important because one catastrophic failure at some locations could affect populations exceeding 100,000 and have economic consequences surpassing $10 billion.

The purpose of our review was to determine whether the Office of Infrastructure Protection and other components of the Department have taken steps to assess risk at the most critical dam assets, and followed up to ensure that recommendations were implemented.

The Department lacks assurance that risk assessments were conducted and that security risks associated with critical dam assets were identified and mitigated.
The Department did not:

• Review all critical dam asset risk assessments conducted by other agencies,
• Conduct security reviews for 55% of the critical dam assets, or
• Ensure that corrective actions were completed to mitigate risk when security gaps were identified.

The Department was unable to complete these tasks because it does not have the necessary authority to ensure that security partners participate in risk management activities, or that dam owners/operators undergo departmental assessments and implement corrective action.

We are making one recommendation to the Office of Infrastructure Protection that, when implemented, will improve the Department’s efforts to secure the Dams Sector.

Background

Protecting the Nation’s critical infrastructure is one of the primary missions of the Department of Homeland Security (DHS). In December 2003, Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, established U.S. policy to enhance the protection of the critical infrastructure and key resources of the United States.
It tasked the Secretary of DHS with coordinating the overall national effort and serving as the principal federal official to lead, integrate, and coordinate federal departments and agencies implementing the policy.

The directive identified critical infrastructure sectors and designated federal Sector-Specific Agencies to encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources. “Sectors” are logical collections of assets, systems, or networks that provide a common function to the economy, government, or society. Homeland Security Presidential Directive 7 established 17 such sectors (with the 18th sector, Critical Manufacturing, added later). The directive also assigned responsibility for individual sectors to federal Sector-Specific Agencies. The DHS Office of Infrastructure Protection (IP) is the Sector-Specific Agency for the Dams Sector.

The Dams Sector consists of dams, navigation locks, levees, and other similar water retention and control facilities, collectively known as “dam assets.” In fiscal year (FY) 2009, DHS identified several hundred critical dam assets through the National Critical Infrastructure Prioritization Program.
This program, implemented by IP, conducts an annual data call to the State Homeland Security Advisors and Sector-Specific Agencies to identify infrastructure that “would, if destroyed or disrupted, cause national or regional catastrophic effects.”

These critical dam assets are owned by private entities, federal agencies, and state and local governments. Dam assets are regulated by a variety of entities. For example, state dam safety offices regulate some dams; federal agencies that own and operate dams, such as the U.S. Army Corps of Engineers, are self-regulating; and the Federal Energy Regulatory Commission regulates most hydroelectric facilities.

Homeland Security Presidential Directive 7 mandated the development of a National Plan for Critical Infrastructure and Key Resources Protection to integrate critical infrastructure protection efforts by governments, the private sector, international organizations, and foreign governments into a single national program. The first National Infrastructure Protection Plan was released in 2006. The National Infrastructure Protection Plan development and support is carried out within a largely voluntary partnership framework.
The National Infrastructure Protection Plan includes the Critical Infrastructure Partnership Advisory Council, a legal framework to organize the asset owners, operators, and federal, state, local, and tribal government entities in sector planning, collaboration, and information sharing. An outcome of this partnership is the development of Sector-Specific Plans.

As the Sector-Specific Agency for dams, IP’s responsibilities include identifying, assessing, and prioritizing dam sector assets. The IP’s Dams Branch is responsible for sector-wide risk assessments. To accomplish its goals, IP partners with the Bureau of Reclamation, U.S. Army Corps of Engineers, Federal Energy Regulatory Commission, Federal Emergency Management Agency, and state governments.

Results of Audit

DHS lacks assurance that risk assessments were conducted and security risks associated with critical dam assets were identified and mitigated. Specifically, the Department did not:

• Review all critical dam asset risk assessments conducted by other agencies,
• Conduct security reviews for 55% of the critical dam assets as of March 2011 to assess their overall security posture, or
• Ensure that corrective actions were completed to mitigate risk when security gaps were identified.

DHS was unable to complete these tasks because it does not have the authority to ensure that security partners participate in risk management activities or that dam owners undergo departmental assessments and implement corrective action.
The National Infrastructure Protection Plan prescribes a partnership approach between government and the private sector to voluntarily manage risk. Underlying legislation does not give the Department the necessary authority to ensure that security partners participate in risk management activities, or that dam owners undergo departmental assessments and implement corrective action. DHS could not always obtain cooperation from its security partners and dam owners, and did not always collaborate successfully. This collaborative approach can succeed only if security partners and dam owners work together to perform risk management.

Review of Risk Assessments

IP cannot determine whether security risks at critical dam assets have been identified and mitigated because it has not obtained and reviewed the adequacy of risk assessments at critical assets. As a result, IP does not know whether all critical dam assets have undergone risk assessments, or the quality of those that were performed. IP contends that its federal partners do review asset-specific security risk assessments in accordance with well-established internal directives and policies. However, it indicated that it does not have the authority to require official evidence of such reviews to be provided under the National Infrastructure Protection Plan’s voluntary framework. Unless DHS verifies the existence and quality of the risk assessments, IP cannot ensure that critical dam assets are protected.

Security Reviews for Critical Dam Assets

IP has conducted security reviews for only 45% of the critical dam assets to assess their overall security posture.
IP does not know the security posture for the remaining 55% of the critical dam assets.

For IP to conduct a security review, the owner/operator must voluntarily collaborate with IP. Two types of security assessments conducted by IP are Enhanced Critical Infrastructure Protection Security Surveys and Site Assistance Visits.

• Enhanced Critical Infrastructure Protection Security Surveys involve a survey of assets of national significance, based primarily on a questionnaire completed through an interview, or a partial or full site review. Information is obtained on a facility’s security force, physical security, access controls, and surveillance and detection capabilities.

• Site Assistance Visits are non-regulatory risk-informed vulnerability assessments that assist an owner or operator with identifying and documenting critical infrastructures, vulnerabilities, protective measures, planning needs, and options for consideration to increase protection from, and resilience to, a wide range of hazards.

Figure 1 illustrates IP’s assessment of assets identified during the FY 2009 National Critical Infrastructure Prioritization Program.

Figure 1. IP Security Reviews

    Surveys Only, 34%
    Surveys & Assessments, 7%
    Assessments Only, 4%
    None, 55%

Source: Office of Inspector General (OIG) analysis of IP reviews.

We reviewed 94% of the IP-completed survey questionnaires and found that 47% of the asset owners were not completing vulnerability assessments, not sharing vulnerability assessments with DHS, or not implementing “options for consideration” from the vulnerability assessments. The term “vulnerability assessments” has been used interchangeably with risk assessments and includes a wide range of risk and vulnerability assessment methodologies used by security partners in the Dams Sector. Unless IP verifies the existence and quality of the risk assessments, it cannot ensure that critical dam assets are protected.

According to one IP Protective Security Advisor, dam owners and operators tend to be more concerned with daily operations than with preparing for possible future catastrophes; unless an asset’s regulatory agency requires a vulnerability assessment, it likely will not be done. Protective Security Advisors said that some asset operators did not have the authority to release the results of vulnerability assessments.
Although IP could have requested these vulnerability assessments through the asset owners’ regulatory agencies, it chose not to do so in the instances reviewed.

Mitigation of Identified Security Risks

Our review of IP-completed survey questionnaires revealed gaps in security controls at critical dam assets. Similarly, our review of the IP-completed site assistance visits at critical dam assets identified numerous security gaps. When DHS personnel identify security weaknesses during site assistance visits, they provide the owner with “Options for Consideration,” which are corrective actions designed to mitigate the security risks. However, implementation of the corrective actions is at the discretion of the facility owner because the Department has no regulatory authority over the dams. As such, DHS cannot enforce its recommendations.

In contrast to the Dams Sector, which operates outside of DHS’ regulatory reach, the Department of Homeland Security Appropriations Act of 2007 provided DHS with the authority to regulate the security of high-risk chemical facilities. Section 550 of the act requires the Secretary of DHS to promulgate interim final regulations “establishing risk-based performance standards for security of chemical facilities” that the Secretary determines present high levels of security risk.
The act and its implementing regulations mandate audits and inspections to determine compliance with the regulations, provide for civil penalties for violation of an order issued under the act, and allow the Secretary to order a facility to cease operations if it is not in compliance with the requirements.¹

¹ Implementing regulations for Section 550 of the Department of Homeland Security Appropriations Act of 2007 are at Title 6 of the Code of Federal Regulations, Part 27.

Conclusion

The absence of security reviews, combined with the inability to require asset owners to mitigate security vulnerabilities when assessments are conducted, has prevented the Department from identifying and mitigating security risks. DHS needs authority to review risk assessments, conduct inspections when assessments are deficient, and make recommendations for corrective actions.

Recommendation

We recommend that the Assistant Secretary, Office of Infrastructure Protection:

Recommendation #1: Determine the appropriateness of a legislative proposal to establish regulatory authority for the critical Dams Sector assets similar to the Chemical Sector. Specifically, DHS personnel need authority to review risk assessments, conduct inspections when assessments are deficient, and make recommendations for corrective actions.

Management Comments and OIG Analysis

In its response to the draft report, the National Protection and Programs Directorate/Office of Infrastructure Protection provided additional information regarding the specific agency responsibilities involved within a voluntary framework. The Directorate noted that criteria for determining critical assets were recently refined, resulting in a lower number of critical assets and a corresponding increase in the percentage of assets assessed by the Directorate. As many agencies at the federal and state level oversee the safety and security of dams, the robustness of security programs varies greatly, as it is directly influenced by regulatory agency level of authority and available resources. Finally, the Directorate noted that the voluntary implementation of options for consideration is presented to owners and operators to illustrate the benefits of such improvements, rather than providing top-down management as a regulatory authority might do.

The Directorate concurred with the recommendation to determine the appropriateness of a legislative proposal. The Directorate is beginning work and research to make that determination and a subsequent recommendation for action. As part of the continuous review of the effectiveness of the partnership framework, this analysis will provide insight into new programs and refinements of current initiatives needed to address any critical gaps. The Directorate will coordinate with internal DHS stakeholders, including the Offices of General Counsel and Legislative Affairs, and representatives from federal and state agencies currently responsible for the regulation of critical Dams Sector assets, as part of its analysis of the appropriateness of a legislative proposal.

We agree that the planned corrective action adequately addresses the recommendation.
However, the recommendation will remain open and unresolved until a target date for completion of the analysis is provided.

Appendix A
Purpose, Scope, and Methodology

The purpose of our review was to determine whether IP and other components of the Department have identified and taken steps to assess risk at the most critical dam assets, and followed up to ensure that recommendations were implemented.

We met with divisional offices within IP under the DHS Directorate for National Protection and Programs, including the Sector-Specific Agency Executive Management Office, Protective Security Coordination Division, Infrastructure Analysis & Strategy Division, and the Infrastructure Information Collection Division. We also interviewed security partners, including the Bureau of Reclamation; U.S. Army Corps of Engineers; Federal Energy Regulatory Commission; Federal Emergency Management Agency; and the states of Maryland, New Jersey, New York, Tennessee, and Texas.

We reviewed relevant Government Accountability Office and OIG reports, the Homeland Security Act of 2002, Critical Infrastructure Information Act of 2002, Post-Katrina Emergency Management Reform Act of 2006, Implementing Recommendations of the 9/11 Commission Act of 2007, Homeland Security Presidential Directive 7, National Infrastructure Protection Plan, and the Dams Sector-Specific Plan.
We obtained minutes from selected meetings between June 2007 and November 2009 of the Dams Sector Joint Government Coordinating Council and the Sector Coordinating Councils as part of the Critical Infrastructure Partnership Advisory Council.

We reviewed IP Enhanced Critical Infrastructure Protection Security Surveys and Site Assistance Visits to determine the security weaknesses at the critical dam assets. We contacted other infrastructure sectors to understand the processes they used in assessing risk within their respective sectors. We also contacted members of the Sector Coordinating Council to understand the concerns of the private sector in assessing and mitigating risks at their facilities.

We examined regulations issued by DHS that apply to high-risk chemical facilities. We also compared risk-based performance standards at high-risk chemical facilities with existing security controls at critical dam assets.

We conducted this performance audit between January 2010 and March 2011 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

Appendix B
Management Comments to the Draft Report

Office of the Under Secretary
National Protection and Programs Directorate
U.S. Department of Homeland Security
Washington, DC 20528

JUL 20 2011

Anne L. Richards
Assistant Inspector General for Audits
Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Dear Ms. Richards:

Re: OIG Project No. I0-002-AUD-DJ-IS, DHS Risk Assessment Efforts in the Dams Sector

The Department of Homeland Security (DHS)/National Protection and Programs Directorate (NPPD) appreciates the opportunity to review and respond to the Office of Inspector General (OIG) draft report OIG Project No. IO-002-AUD-DI-IS, DHS Risk Assessment Efforts in the Dams Sector.
This audit was conducted to determine whether the Office of Infrastructure Protection (IP) and other components of the Department have (1) taken steps to assess risk at the most critical dam assets and (2) followed up to ensure that owners and operators have implemented recommendations. NPPD and IP are working to resolve the issues identified in the report.

The OIG report presents an evaluation of risk assessment efforts associated with these critical assets. We provide the following information to augment their discussion and provide a more comprehensive picture of the current landscape of risk assessment efforts in the Dams Sector, including

• risk assessment responsibilities of DHS as the Dams Sector-Specific Agency (SSA) and lead for the overall national effort to enhance critical infrastructure protection;
• updated data since fieldwork was completed;
• the current regulatory framework; and
• our efforts to have asset owners voluntarily follow up on options for consideration.

First, DHS and SSA responsibilities with respect to risk assessments include "coordinating, facilitating, and supporting comprehensive risk assessment and risk management programs" for high-risk assets and systems.¹ In a voluntary framework, DHS does this through conducting voluntary vulnerability assessments and security surveys on critical infrastructure at the owner/operators' request, supporting other Federal, State, local, tribal, and territorial partners in their assessments as requested, and conducting risk analysis on the sector as a whole. The SSA also provides valuable tools to the private sector owners and operators to allow them to do their own facility-level assessments.

¹ U.S. Department of Homeland Security, National Infrastructure Protection Plan, 2009: p. 17.

Second, the OIG report is based on the facilities identified as critical through the Fiscal Year (FY) 2009 National Critical Infrastructure Prioritization Program (NCIPP) data call. The NCIPP criteria were significantly refined after FY 2009. Consequently, the total number of dams deemed critical has decreased, and the percentages of assets assessed by NPPD/IP have increased.

Third, a number of different agencies at the Federal and State levels of government oversee the safety and security of dams. Considering the most recent data, most (approximately 80 percent) of critical dam assets in the FY 2011 NCIPP list are owned, operated, and/or regulated by Federal agencies, such as the U.S. Army Corps of Engineers, U.S. Bureau of Reclamation, U.S. International Boundary and Water Commission, Tennessee Valley Authority, and Federal Energy Regulatory Commission. These agencies have robust programs for identifying critical assets, completing facility-level security risk assessments, determining the necessary level of protection, implementing security programs, and/or assessing performance.
The remaining assets in\n          the FY 2011 NCIPP list fall under the jurisdiction of State agencies which, in most cases,\n          have regulatory responsibility over dam safety issues. The robustness of the dam security\n          programs implemented by these State regulatory agencies is directly influenced by their\n          level of authority and available resources, which is quite varied.\n\n          Fourth, DHS and SSA engagement with the Dams Sector is conducted in a voluntary\n          framework - there is no associated enforcement authority. Within this voluntary\n          framework, we believe it is important to work as partners with our stakeholders.\n          NPPD/IP presents the voluntary implementation of options for consideration to owners\n          and operators as a business case, illustrating the benefits such improvements would have\n          for operations of that facility, rather than providing top down management as an\n          organization with regulatory authority might do. NPPD/IP is currently expanding and\n          refining a new voluntary program to follow up on actions taken after our assessments. So\n          far, the program is well received by the Dams Sector.\n\n          OIG Recommendation\n\n          The OIG recommended that the Assistant Secretary, Office of Infrastructure Protection,\n          determine the appropriateness of a legislative proposal to establish regulatory authority\n          for the critical Dams Sector assets similar to the Chemical Sector. The OIG clarified that\n          such regulatory authority would grant DHS personnel authority to review risk\n          assessments, conduct inspections when assessments are deficient, and make\n          recommendations for corrective actions. 
NPPD/IP concurs with the recommendation to\n          determine the appropriateness of a legislative proposal, and we are beginning work and\n          research to make that determination and a subsequent recommendation.\n\n          As part of the continuous review of the effectiveness of the partnership framework, this\n          analysis will provide insight into new programs and refinements of current initiatives\n          needed to address any critical gaps. NPPD/IP will coordinate with internal DHS\n          stakeholders, including the Offices of General Counsel and Legislative Affairs, and\n          representatives from Federal and State agencies currently responsible for the regulation\n          of critical Dams Sector assets as part of its analysis of the appropriateness of a legislative\n          proposal.\n\n          Again, we thank you for the opportunity to review and provide comment on this draft\n          report, and look forward to working with you on future homeland security engagements.\n\n                                                         Sincerely,\n\n\n\n                                                         Rand Beers\n                                                         Under Secretary\n\n\n          Attachments\n\n          1) Sensitivity Review\n          2) Technical comments\n\n\nAppendix C\nMajor Contributors to this Report\n\n                    Michael Siviy, Director\n                    Dennis Deely, Audit Manager\n   
                 Kevin Donahue, Auditor\n                    Anthony Colache, Program Analyst\n                    Ebenezer Jackson, Program Analyst\n                    Ashley Smith, Program Analyst\n                    Kathleen Hyland, Referencer\n\n\nAppendix D\nReport Distribution\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff\n                      Deputy Chief of Staff\n                      General Counsel\n                      Executive Secretariat\n                      Director, GAO/OIG Liaison Office\n                      Assistant Secretary for Office of Policy\n                      Assistant Secretary for Office of Public Affairs\n                      Assistant Secretary for Office of Legislative Affairs\n                      Under Secretary for National Protection and Programs Directorate\n                      Assistant Secretary for Office of Infrastructure Protection\n                      Director, GAO-OIG Audit Liaison Office for the National\n                         Protection and Programs Directorate\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at 
www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'